d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

Analysis

resource
win7

Sharing

Copy URL

Twitter E-mail

General

Target

amix
Sample

190902-nwtlcy8qcx
SHA256

d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

Score

N/A

Malware Config

Signatures

Drops file in system dir 51 IoCs

at	description	ioc	Process
7145	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\760-0\Microsoft.PowerShell.Commands.Utility.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll	mscorsvw.exe
7161	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux	mscorsvw.exe
7192	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\760-0	mscorsvw.exe
8674	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\750-0\Microsoft.PowerShell.ConsoleHost.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll	mscorsvw.exe
8674	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux	mscorsvw.exe
8721	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\750-0	mscorsvw.exe
12075	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\720-0\Microsoft.PowerShell.Core.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll	mscorsvw.exe
12075	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux	mscorsvw.exe
12137	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\720-0	mscorsvw.exe
13635	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7f4-0\Microsoft.PowerShell.Diagnostics.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll	mscorsvw.exe
13651	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux	mscorsvw.exe
13682	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7f4-0	mscorsvw.exe
25787	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\32c-0\Microsoft.PowerShell.Editor.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll	mscorsvw.exe
25803	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux	mscorsvw.exe
26037	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\32c-0	mscorsvw.exe
33915	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5a4-0\Microsoft.PowerShell.GPowerShell.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll	mscorsvw.exe
33931	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux	mscorsvw.exe
33993	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5a4-0	mscorsvw.exe
36785	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\524-0\Microsoft.PowerShell.GraphicalHost.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll	mscorsvw.exe
36785	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux	mscorsvw.exe
36848	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\524-0	mscorsvw.exe
37581	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\668-0\Microsoft.PowerShell.ISECommon.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll	mscorsvw.exe
37597	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux	mscorsvw.exe
37628	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\668-0	mscorsvw.exe
41232	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5b8-0\Microsoft.PowerShell.Management.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll	mscorsvw.exe
41232	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux	mscorsvw.exe
41294	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5b8-0	mscorsvw.exe
43228	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6a0-0\Microsoft.PowerShell.ScheduledJob.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll	mscorsvw.exe
43244	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux	mscorsvw.exe
43322	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6a0-0	mscorsvw.exe
44383	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\344-0\Microsoft.PowerShell.Security.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll	mscorsvw.exe
44398	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux	mscorsvw.exe
44476	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\344-0	mscorsvw.exe
45724	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\25c-0\Microsoft.PowerShell.Security.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll	mscorsvw.exe
45724	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux	mscorsvw.exe
45771	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\25c-0	mscorsvw.exe
49484	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\75c-0\Microsoft.PowerShell.Utility.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll	mscorsvw.exe
49500	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux	mscorsvw.exe
49578	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\75c-0	mscorsvw.exe
54024	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7e8-0\Microsoft.PowerShell.Workflow.ServiceCore.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll	mscorsvw.exe
54039	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux	mscorsvw.exe
54102	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7e8-0	mscorsvw.exe
56254	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\518-0\Microsoft.Windows.DSC.CoreConfProviders.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll	mscorsvw.exe
56254	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux	mscorsvw.exe
56286	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\518-0	mscorsvw.exe
57409	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\334-0\Microsoft.WSMan.Management.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll	mscorsvw.exe
57424	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux	mscorsvw.exe
57471	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\334-0	mscorsvw.exe
59281	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\448-0\Microsoft.WSMan.Management.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\31442bf47481031d2ffc618719a526d4\Microsoft.WSMan.Management.Activities.ni.dll	mscorsvw.exe
59296	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\31442bf47481031d2ffc618719a526d4\Microsoft.WSMan.Management.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\31442bf47481031d2ffc618719a526d4\Microsoft.WSMan.Management.Activities.ni.dll.aux	mscorsvw.exe
59374	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\448-0	mscorsvw.exe

Loads dropped DLL
Suspicious behavior: EnumeratesProcesses

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

at	description	ioc	Process
20702	Set value (str)	\REGISTRY\USER\S-1-5-21-2407604620-1456373808-453316147-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e7f5b479-5974-4b8a-aa02-c907649735c5\\amix.exe\" --AutoStart"	amix.exe

Suspicious use of WriteProcessMemory 2 IoCs

at	description	Process	procid_target
20733	PID 1800 wrote to memory of 1824	amix.exe	39
23213	PID 1800 wrote to memory of 1592	amix.exe	40

C:\Users\Admin\AppData\Local\Temp\amix.exe
C:\Users\Admin\AppData\Local\Temp\amix.exe
1⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 224 -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"
1⤵
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 244 -NGENProcess 22c -Pipe 214 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 22c -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
1⤵
PID:1920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 24c -NGENProcess 234 -Pipe 21c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 234 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
1⤵
PID:832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 254 -NGENProcess 23c -Pipe 224 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 23c -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
1⤵
PID:1952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:2036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 23c -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"
1⤵
PID:1804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 218 -NGENProcess 244 -Pipe 234 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:812

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e7f5b479-5974-4b8a-aa02-c907649735c5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\amix.exe
"C:\Users\Admin\AppData\Local\Temp\amix.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 244 -NGENProcess 204 -Pipe 260 -Comment "NGen Worker Process"
1⤵
PID:1988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 26c -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 218 -Pipe 268 -Comment "NGen Worker Process"
1⤵
PID:832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 274 -NGENProcess 204 -Pipe 23c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 264 -NGENProcess 27c -Pipe 26c -Comment "NGen Worker Process"
1⤵
PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 20c -NGENProcess 204 -Pipe 244 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 204 -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
1⤵
PID:352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 284 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 288 -NGENProcess 284 -Pipe 138 -Comment "NGen Worker Process"
1⤵
PID:1940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 218 -NGENProcess 20c -Pipe 24c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 280 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
1⤵
PID:888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 28c -NGENProcess 204 -Pipe 290 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 274 -NGENProcess 294 -Pipe 280 -Comment "NGen Worker Process"
1⤵
PID:544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 204 -Pipe 284 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 204 -NGENProcess 10c -Pipe 28c -Comment "NGen Worker Process"
1⤵
PID:1232

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 29c -NGENProcess 294 -Pipe 20c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 264 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
1⤵
PID:1944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2ac -NGENProcess 10c -Pipe 2a8 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 10c -NGENProcess 2a4 -Pipe 25c -Comment "NGen Worker Process"
1⤵
PID:592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 2b4 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 294 -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
1⤵
PID:1624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 264 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
1⤵
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 10c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1096

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2a4 -Comment "NGen Worker Process"
1⤵
PID:1184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 29c -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1060

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads